Sauna Writeup — HackTheBox

REBRON SECURITY
Jul 18, 2020

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the webpage
  • Enumerating LDAP and finding users
  • Getting the password hash of our wanted user
  • Login as fsmith
  • We get User.txt
  • Finding a password in the logon registry
  • Login as svc_loanmgr
  • Uploading mimikatz and grabbing the Administrator NTLM hash
  • Login as Administrator using Evil-winrm
  • We get Root.txt

Enumeration phase :

As usual let’s start with the Nmap scan :

[~] nmap -sC -sV 10.10.10.175

Several ports are open, let’s start with port 80 :

Seems to be a website of a bank !

LDAP is open, so let’s check it using nmap :

Some interesting information appears, let’s dig more :

Hugo Smith seems to be our wanted user. Let’s validate it by building a list of username combinations from this name (usernames.lst) and then running the Impacket tool GetNPUsers.py :

hsmith is our valid user, so let’s try to find the password by building other combinations from the users listed on the website :

And we got our wanted password hash :

Let's crack it using john :

We got the credential : fsmith:Thestrokes23

Now let’s log in using Evil-winrm :

And we got our user.txt !
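The GetNPUsers.py steps above ask the domain controller for Kerberos TGTs without pre-authentication, and the DC records each request as Security Event ID 4768. The following is an added example, not part of the original writeup: a small detector that flags a source which first probes many unknown account names and then obtains a TGT with no pre-authentication. The event tuples, the source addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed Event ID 4768 records (illustrative values, not real log data):
# (source_ip, account, status, pre_auth_type, ticket_encryption_type)
EVENTS = [
    ("10.10.14.5", "hugo.smith", "0x6", "-", "0xffffffff"),
    ("10.10.14.5", "hugosmith", "0x6", "-", "0xffffffff"),
    ("10.10.14.5", "smithh", "0x6", "-", "0xffffffff"),
    ("10.10.14.5", "h.smith", "0x6", "-", "0xffffffff"),
    ("10.10.14.5", "fsmith", "0x0", "0", "0x17"),   # success, no pre-auth, RC4
    ("10.10.10.20", "jdoe", "0x0", "2", "0x12"),    # normal logon, AES256
    ("10.10.10.21", "jdoe2", "0x6", "-", "0xffffffff"),  # single typo
]

PRINCIPAL_UNKNOWN = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN
ENUM_THRESHOLD = 3         # assumed: distinct unknown names per source


def no_preauth_tgts(events):
    """Successful TGT requests issued without pre-authentication."""
    return [
        {"source": ip, "account": user, "rc4": etype.lower() == "0x17"}
        for ip, user, status, preauth, etype in events
        if status == "0x0" and preauth == "0"
    ]


def enumeration_sources(events, threshold=ENUM_THRESHOLD):
    """Sources that requested TGTs for many accounts that do not exist."""
    unknown = defaultdict(set)
    for ip, user, status, _, _ in events:
        if status == PRINCIPAL_UNKNOWN:
            unknown[ip].add(user.lower())
    return {ip: sorted(n) for ip, n in unknown.items() if len(n) >= threshold}


def correlate(events):
    """No-pre-auth TGTs whose source also enumerated account names."""
    enum = enumeration_sources(events)
    return [hit for hit in no_preauth_tgts(events) if hit["source"] in enum]


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print("possible AS-REP roasting:", hit)
```

Any account returned by `no_preauth_tgts` is worth reviewing on its own, since enabling Kerberos pre-authentication for it removes the offline-cracking path entirely.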

Root phase :

To look for a way to root the box, I uploaded the enumeration tool winpeas :

When I ran it, I found a credential in the registry :

I tried this password with svc_loanmnager but it didn’t work, so I checked the other users on the box using net user :

So our second valid user is svc_loanmgr, and I then tried to log in with it :

Using mimikatz I could get the NTLM hash of the Administrator, so I uploaded it to the machine. For those who don’t know mimikatz, this is the official project :

Running mimikatz against the Administrator user, I got the NTLM hash :

It’s time to log in using that hash :

And we have successfully rooted the box !
